2. With a view to further strengthening the aforesaid framework, particularly in respect of monitoring of cyber threats and cyber resiliency, the matter was discussed with SEBI’s Technical Advisory Committee (TAC), SEBI’s High Powered Committee on Cyber Security (HPSC-CS) and the MIIs.

3. Accordingly, it has been decided that MIIs shall have a Cyber Security Operation Center (C-SOC) that would be a 24x7x365 set-up manned by dedicated security analysts to identify, respond, recover and protect from cyber security incidents.

4.7. MIIs to adopt security automation and orchestration technologies in C-SOC to automate the incident identification, analysis and response as per the defined procedures.

5. Further to the above, the C-SOC of MII shall, at the minimum, undertake the following activities:

5.1. In order to detect intrusions / security incidents in real time, the C-SOC should monitor and analyze on a 24x7x365 basis relevant logs of MII’s network devices, logs of MII’s systems, data traffic, suitable cyber intelligence (intel) feeds sourced from reliable vendors, inputs received from other MIIs, inputs received from external agencies such as CERT-In, etc. The cyber intelligence (intel) feeds may include cyber news feeds, signature updates, incident reports, threat briefs, and vulnerability alerts.

5.2. To this end, appropriate alert mechanisms should be implemented, including a comprehensive dashboard, tracking of key security metrics and provision of cyber threat scorecards.

5.3. The C-SOC should conduct continuous assessment of the threat landscape faced by the MII including undertaking periodic VAPT (Vulnerability Assessment and Penetration Testing).

5.4. The C-SOC should have the ability to perform Root Cause Analysis, Incident Investigation, Forensic Analysis, Malware Reverse Engineering, etc. to determine the nature of the attack and corrective and/or preventive actions to be taken thereof.

5.5. The C-SOC should conduct periodic (at the minimum quarterly) cyber attack simulation to aid in developing cyber resiliency measures. The C-SOC should develop and document mechanisms and standard operating procedures to recover from the cyber-attacks within the stipulated RTO of the MII. The C-SOC should also document various scenarios and standard operating procedures for resuming operations from Disaster Recovery (DR) site of MII.

5.6. The C-SOC should conduct periodic awareness and training programs at the MII and for its members / participants / intermediaries with regard to cyber security, situational awareness and social engineering.

5.7. The C-SOC should be capable of preventing attacks similar to those already faced. The C-SOC should also deploy multiple honey pot services which are dynamic in characteristics to avoid being detected as honey pots by attackers.

6. As building an effective C-SOC requires an appropriate mix of the right people, suitable security products (Technology), and well-defined processes and procedures (Processes), an indicative list of areas that MIIs should consider while designing and implementing a C-SOC is as follows:

6.1. The MII shall ensure that the governance and reporting structure of the C-SOC is commensurate with the risk and threat landscape of the MII. The C-SOC shall be headed by the Chief Information Security Officer (CISO) of the MII. The CISO shall be designated as a Key Managerial Personnel (KMP) and relevant provisions relating to KMPs in the SEBI Securities Contracts (Regulation) (Stock Exchanges and Clearing Corporations) Regulations, 2012 and the subsequent circulars issued by SEBI relating to KMPs, shall apply to the CISO.

6.2. While the CISO is expected to work closely with various departments of MIIs, including MII’s Network team, Cyber Security team and Information Technology (IT) team, etc., the reporting of CISO shall be directly to the MD & CEO of the MII.

6.3. The roles and responsibilities of CISO may be drawn from Ministry of Electronics and IT notification No. 6(12)/2017-PDP-CERT-In dated March 14, 2017.

6.5. Each MII is advised to formulate a Cyber Crisis Management Plan (CCMP) based on its architecture deployed, threats faced and nature of operations. The CCMP should define the various cyber events, incidents and crises faced by the MII, the extant cyber threat landscape, the cyber resilience envisaged, incident prevention, cyber crisis recognition, mitigation and management plan. The CCMP should be approved by the respective Standing Committee on Technology / IT-Strategy Committee of the MIIs and the governing board of the MII. The CCMP should also be reviewed and updated annually.

6.6. The C-SOC should have well-defined and documented processes for monitoring of its systems and networks, analysis of cyber security threats and potential intrusions / security incidents, usage of appropriate technology tools deployed by C-SOC, classification of threats and attacks, escalation hierarchy of incidents, response to threats and breaches, and reporting (internal and external) of the incidents.

6.7. The C-SOC should employ domain experts in the field of cyber security and resilience, network security, data security, end-point security, etc.

6.9. The C-SOC should document the cases and escalation matrices for declaring a disaster.

7. In view of the feedback received from MIIs, it has been decided that MIIs may choose any of the following models to set up their C-SOC:

(i) MII’s own C-SOC manned primarily by its internal staff,

(ii) MII’s own C-SOC, staffed by a service provider, but supervised by a full time staff of the MII. (Refer to 7.3)

(iii) C-SOC that may be shared by the MII with its group entities (that are also SEBI recognized MIIs),

(iv) C-SOC that may be shared by the MII with other SEBI recognized MII(s).

7.1. The responsibility of cyber security of an MII, adherence to business continuity and recovery objectives, etc. should lie with the respective MII, irrespective of the model adopted for C-SOC.

7.2. The respective risk committee(s) of the MII should evaluate the risks of outsourcing the respective activity.

7.3. The MII may outsource C-SOC activities in line with the guidelines as given in Annexure-A.

8. A report on the functioning of the C-SOC, including details of cyber-attacks faced by the MII, major cyber events warded off by the MII, cyber security breaches, data breaches should be placed on a quarterly basis before the board of the MII.

9. The system auditor of the MII shall audit the implementation of the aforesaid guidance in the annual system audit of the MII. The Scope and/or Terms of Reference (ToR) of the annual system audit would accordingly be modified to include audit of the implementation of the aforementioned areas.

10. Further, in continuation to the requirement specified at para 52 of the Annexure A to the aforementioned SEBI Circular dated July 06, 2015, the C-SOC shall share relevant alerts and attack information with members / participants / intermediaries of the MII, other MIIs, external cyber response agencies such as CERT-In, and SEBI.

11. MIIs are directed to take necessary steps to put in place appropriate systems and processes for implementation of the circular, including necessary amendments to the relevant bye-laws, rules and regulations, if any, within six months from the date of the circular. In case an MII currently has a C-SOC set-up that is different from those mentioned at para 7(i) – 7(iv), such MII is directed to adopt and transition to one of the models mentioned at para 7(i) – 7(iv) within a period of one year from the date of issuance of this circular.

12. This circular is being issued in exercise of powers conferred under Section 11 (1) of the Securities and Exchange Board of India Act, 1992 and Section 19 of the Depositories Act, 1996 to protect the interests of investors in securities and to promote the development of, and to regulate the securities market.